Create a CosmosDB Role Assignment using an ARM Template

Marco Papst 31 Reputation points
2021-07-05T14:15:38.86+00:00

I am trying to create a Cosmos DB Role Assignment using an ARM Template. All examples I found are creating the role assignments as a child resource of the cosmos account inside the ARM template.

Nevertheless, I thought it must be possible to have the role assignment standalone (in my case it does not belong to the database, it belongs to a service which is deployed in a different template as the database).

The deployment then is complaining about the type of the resource:
The template resource '539f08f1-d75b-5900-a7c1-937cc589c79e' for type 'Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments' at line '81' and column '76' has incorrect segment lengths. A nested resource type must have identical number of segments as its resource name. A root resource type must have segment length one greater than its resource name. Please see https://aka.ms/arm-template/#resources for usage details.'. (Code: InvalidTemplate)

Is a single deployment for the role assignment possible using ARM?

Edit:
Got a bit further by finding this: https://video2.skills-academy.com/en-us/azure/templates/microsoft.documentdb/databaseaccounts/sqlroleassignments?tabs=json

Current error:
The Resource 'Microsoft.DocumentDB/databaseAccounts/sqlroleassignment' under resource group '[...]' was not found.

Tags: Azure Cosmos DB, Azure Role-based access control

Accepted answer
  1. Anurag Sharma 17,606 Reputation points
    2021-07-07T07:08:22.677+00:00

    Hi @Marco Papst, for an existing role definition, could you please try the template below?

    {  
      "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",  
      "contentVersion": "1.0.0.0",  
      "metadata": {  
        "comments": "Assigns an existing SQL role definition (by default the built-in Cosmos DB Data Contributor) to a principal at account scope. The assignment name is derived with guid() from account, role and principal, so redeploying updates the same assignment instead of adding a new one on every run."  
      },  
      "parameters": {  
        "accountName": {  
          "defaultValue": "<yourcosmosaccname>",  
          "type": "String",  
          "metadata": { "description": "Cosmos DB account name, max length 44 characters" }  
        },  
        "principalId": {  
          "defaultValue": "<principalId>",  
          "type": "String",  
          "metadata": { "description": "Object ID of the AAD identity. Must be a GUID." }  
        },  
        "roleDefinitionGuid": {  
          "defaultValue": "00000000-0000-0000-0000-000000000002",  
          "type": "String",  
          "metadata": { "description": "GUID of the existing SQL role definition. 00000000-0000-0000-0000-000000000002 is the built-in Cosmos DB Data Contributor, 00000000-0000-0000-0000-000000000001 the built-in Data Reader." }  
        }  
      },  
      "variables": {  
        "accountName": "[toLower(parameters('accountName'))]",  
        "roleDefinitionId": "[resourceId('Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions', variables('accountName'), parameters('roleDefinitionGuid'))]",  
        "roleAssignmentId": "[guid('sql-role-assignment-', variables('roleDefinitionId'), parameters('principalId'))]"  
      },  
      "resources": [  
        {  
          "type": "Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments",  
          "apiVersion": "2021-05-15",  
          "name": "[concat(variables('accountName'), '/', variables('roleAssignmentId'))]",  
          "properties": {  
            "roleDefinitionId": "[variables('roleDefinitionId')]",  
            "principalId": "[parameters('principalId')]",  
            "scope": "[resourceId('Microsoft.DocumentDB/databaseAccounts', variables('accountName'))]"  
          }  
        }  
      ]  
    }  
    

2 additional answers

  1. Marco Papst 31 Reputation points
    2021-07-06T14:09:44.947+00:00

    Hi @AnuragSharma-MSFT ,

    Thanks for your response. The template is simple and is shown nearly completely in the screenshot.

    It works in this version (most of the time). I think the issues I am currently running into depend on terraform, where I use an azurerm_resource_group_template_deployment.

    What did the trick:
    -> when the type of a resource has three segments (i.e. two "/"), the name of the resource must have two segments
    -> I solved the "resource was not found" error by adjusting the scope (I don't know why, but it works with that)

    My input parameters have the following structure:

    • roleDefinitionId: [id of cosmos db account]/sqlRoleDefinitions/00000000-0000-0000-0000-000000000002
    • roleAssignmentName: [account name of cosmos Db] (I have not managed to change the name of the variable yet)
    • scope: [id of cosmos db account]/dbs/[name of db]/colls/[name of collection]
    • principalId: my AAD object ID

    Especially the scope ID is not well documented and was hard to figure out.

    {
        "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
        "contentVersion": "1.0.0.0",
        "metadata": {
            "comments": "Standalone SQL role assignment. The GUID segment of the name is derived from scope, principal and role definition; deriving it from the scope alone would make a later deployment for another principal reuse the same name and replace the first assignment instead of adding one."
        },
        "parameters": {
            "roleDefinitionId": {
                "type": "string",
                "metadata": {
                    "description": "Full resource ID of the SQL role definition: <cosmos account ID>/sqlRoleDefinitions/<guid>"
                }
            },
            "roleAssignmentName": {
                "type": "string",
                "metadata": {
                    "description": "Name of the Cosmos DB account; it forms the first segment of the assignment name"
                }
            },
            "scope": {
                "type": "string",
                "metadata": {
                    "description": "Scope of the Role Assignment: <cosmos account ID>, optionally followed by /dbs/<database> and /colls/<container>"
                }
            },
            "principalId": {
                "type": "string",
                "metadata": {
                    "description": "Object ID of the AAD identity. Must be a GUID."
                }
            }
        },
        "variables": {
            "assignmentGuid": "[guid(parameters('scope'), parameters('principalId'), parameters('roleDefinitionId'))]"
        },
        "resources": [
            {
                "name": "[concat(parameters('roleAssignmentName'), '/', variables('assignmentGuid'))]",
                "type": "Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments",
                "apiVersion": "2021-04-15",
                "properties": {
                    "roleDefinitionId": "[parameters('roleDefinitionId')]",
                    "principalId": "[parameters('principalId')]",
                    "scope": "[parameters('scope')]"
                }
            }
        ]
    }
    

  2. Anurag Sharma 17,606 Reputation points
    2021-07-07T06:45:45.59+00:00

    Hi @Marco Papst, thanks for replying back. Actually, we also need to add the sqlRoleDefinition resource in the ARM template. This definition could be either a new one we need to create or an existing one. Below is the example used for creating a new one.

    {  
      "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",  
      "contentVersion": "1.0.0.0",  
      "metadata": {  
        "comments": "Creates a custom SQL role definition and assigns it to a principal at account scope. Both names are derived with guid() (the assignment additionally from the principal), so redeploying updates the same two resources instead of adding new ones on every run."  
      },  
      "parameters": {  
        "accountName": {  
          "defaultValue": "<yourcosmosaccname>",  
          "type": "String",  
          "metadata": { "description": "Cosmos DB account name, max length 44 characters" }  
        },  
        "principalId": {  
          "defaultValue": "<principalId>",  
          "type": "String",  
          "metadata": { "description": "Object ID of the AAD identity. Must be a GUID." }  
        }  
      },  
      "variables": {  
        "accountName": "[toLower(parameters('accountName'))]",  
        "accountId": "[resourceId('Microsoft.DocumentDB/databaseAccounts', variables('accountName'))]",  
        "roleDefinitionId": "[guid('sql-role-definition-', variables('accountId'))]",  
        "roleAssignmentId": "[guid('sql-role-assignment-', variables('accountId'), parameters('principalId'))]"  
      },  
      "resources": [  
        {  
          "type": "Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions",  
          "apiVersion": "2021-05-15",  
          "name": "[concat(variables('accountName'), '/', variables('roleDefinitionId'))]",  
          "properties": {  
            "roleName": "My Read Write Role",  
            "type": 1,  
            "assignableScopes": [ "[variables('accountId')]" ],  
            "permissions": [  
              {  
                "dataActions": [ "Microsoft.DocumentDB/databaseAccounts/readMetadata", "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items/*" ],  
                "notDataActions": []  
              }  
            ]  
          }  
        },  
        {  
          "type": "Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments",  
          "apiVersion": "2021-05-15",  
          "name": "[concat(variables('accountName'), '/', variables('roleAssignmentId'))]",  
          "dependsOn": [  
            "[resourceId('Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions', variables('accountName'), variables('roleDefinitionId'))]"  
          ],  
          "properties": {  
            "roleDefinitionId": "[resourceId('Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions', variables('accountName'), variables('roleDefinitionId'))]",  
            "principalId": "[parameters('principalId')]",  
            "scope": "[variables('accountId')]"  
          }  
        }  
      ]  
    }  
    

    You need to use the correct values for the account and principal ID in the placeholders. This template can further be refined for parameter and variable usage.

    Please let me know if this helps or else we can discuss further.

    ----------

    If the answer helps, you can mark it 'Accept Answer'.
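To check a template for the problems this thread ran into before deploying it, here is an added Python example (written for this page, not code from any of the posts above). It encodes the type/name segment rule from the InvalidTemplate error in the question, builds the `<account ID>/dbs/<db>/colls/<container>` scope string described in the previous answer, checks that an assignment's scope lies within the custom definition's assignableScopes (the shape of the "was not found" problem), and derives the assignment name from scope, principal and role so that a redeployment for a second principal gets its own assignment instead of replacing the first. The subscription, resource group, account, principal and definition GUIDs are constructed sample values, `uuid5` stands in for ARM's `guid()`, and the linter expects resolved values rather than ARM expressions (for instance a template rendered from a parameters file).

```python
"""Offline lint for Cosmos DB SQL role definition/assignment ARM templates.
Added example for this thread (not code from any post). It checks the ARM segment
rule behind 'incorrect segment lengths', the account/dbs/colls scope shape, scope
versus assignableScopes, and derives a deterministic assignment name. It works on
resolved values, not ARM expressions; the sample template below is constructed."""
import re
import uuid

ACCOUNT_TYPE = "Microsoft.DocumentDB/databaseAccounts"
DEFINITION_TYPE = ACCOUNT_TYPE + "/sqlRoleDefinitions"
ASSIGNMENT_TYPE = ACCOUNT_TYPE + "/sqlRoleAssignments"
# Built-in SQL role definition GUIDs (identical in every account).
BUILTIN_DATA_READER = "00000000-0000-0000-0000-000000000001"
BUILTIN_DATA_CONTRIBUTOR = "00000000-0000-0000-0000-000000000002"
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)

def account_id(subscription, resource_group, account):
    """ARM resource ID of the account; every data-plane scope starts with it."""
    return (f"/subscriptions/{subscription}/resourceGroups/{resource_group}"
            f"/providers/{ACCOUNT_TYPE}/{account}")

def build_scope(acct_id, database=None, container=None):
    """Account ID, optionally followed by /dbs/<database> and then /colls/<container>."""
    if container and not database:
        raise ValueError("a container scope needs its database")
    return acct_id + (f"/dbs/{database}" if database else "") + (f"/colls/{container}" if container else "")

def role_definition_id(acct_id, definition_guid):
    return f"{acct_id}/sqlRoleDefinitions/{definition_guid}"

def assignment_name(account, scope, principal_id, role_def_id):
    """'<account>/<guid>' with the GUID derived from everything that makes the assignment
    unique. Seeding it from the scope alone lets a later deployment for another principal
    reuse the name and replace the first assignment. uuid5 stands in for ARM's guid()."""
    key = "|".join(s.lower() for s in (scope, principal_id, role_def_id))
    return f"{account}/{uuid.uuid5(uuid.NAMESPACE_URL, key)}"

def segment_rule_ok(resource_type, name):
    """Rule behind the InvalidTemplate error: a root-level resource's type has exactly
    one more '/'-separated segment than its name ('<account>/<guid>' for these types)."""
    return resource_type.count("/") == name.count("/") + 1

def scope_within(scope, assignable_scopes):
    """True when scope equals, or sits below, one of the assignable scopes."""
    s = scope.lower()
    return any(s == a.lower() or s.startswith(a.lower() + "/") for a in assignable_scopes)

def lint(template):
    """Return findings for the role definitions and assignments in a resolved template."""
    findings, definitions = [], {}
    for res in template["resources"]:
        if res["type"] in (DEFINITION_TYPE, ASSIGNMENT_TYPE) and not segment_rule_ok(res["type"], res["name"]):
            findings.append(f"{res['name']}: name must be '<account>/<guid>' for {res['type']}")
        if res["type"] == DEFINITION_TYPE:
            definitions[res["name"].split("/")[-1].lower()] = res["properties"]
    for res in (r for r in template["resources"] if r["type"] == ASSIGNMENT_TYPE):
        name, props = res["name"], res["properties"]
        if not GUID_RE.match(props.get("principalId", "")):
            findings.append(f"{name}: principalId is not an object ID GUID")
        if f"/providers/{ACCOUNT_TYPE}/".lower() not in props["scope"].lower():
            findings.append(f"{name}: scope is not built on a databaseAccounts resource ID")
        definition = definitions.get(props["roleDefinitionId"].split("/")[-1].lower())
        if definition is None:
            continue  # built-in or pre-existing definition: nothing to compare against offline
        if not scope_within(props["scope"], definition["assignableScopes"]):
            findings.append(f"{name}: scope is outside the definition's assignableScopes")
        writes = any(a.endswith("items/*") for p in definition["permissions"] for a in p.get("dataActions", []))
        if writes and "/dbs/" not in props["scope"]:
            findings.append(f"{name}: grants item writes account-wide; prefer a database or container scope")
    return findings

# Constructed sample values and template, modelled on the thread's answers.
ACCOUNT = "cosmos-sample"
ACCT_ID = account_id("00000000-0000-0000-0000-00000000abcd", "rg-sample", ACCOUNT)
PRINCIPAL = "11111111-2222-3333-4444-555555555555"
CUSTOM_DEF_ID = role_definition_id(ACCT_ID, "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee")
GOOD_SCOPE = build_scope(ACCT_ID, "orders", "events")

def assignment(name, scope, role_def_id=CUSTOM_DEF_ID):
    return {"type": ASSIGNMENT_TYPE, "name": name, "properties":
            {"roleDefinitionId": role_def_id, "principalId": PRINCIPAL, "scope": scope}}

SAMPLE_TEMPLATE = {"resources": [
    {"type": DEFINITION_TYPE, "name": f"{ACCOUNT}/{CUSTOM_DEF_ID.split('/')[-1]}", "properties": {
        "roleName": "My Read Write Role", "type": 1,
        "assignableScopes": [build_scope(ACCT_ID, "orders")],
        "permissions": [{"dataActions": [
            "Microsoft.DocumentDB/databaseAccounts/readMetadata",
            "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items/*"],
            "notDataActions": []}]}},
    # container scope inside the assignable database scope: clean
    assignment(assignment_name(ACCOUNT, GOOD_SCOPE, PRINCIPAL, CUSTOM_DEF_ID), GOOD_SCOPE),
    # account-wide scope: outside assignableScopes and over-broad for a write role
    assignment(assignment_name(ACCOUNT, ACCT_ID, PRINCIPAL, CUSTOM_DEF_ID), ACCT_ID),
    # the question's original shape: a bare GUID name under a three-segment type
    assignment("539f08f1-d75b-5900-a7c1-937cc589c79e", ACCT_ID,
               role_definition_id(ACCT_ID, BUILTIN_DATA_CONTRIBUTOR)),
]}
```

`lint(SAMPLE_TEMPLATE)` returns three findings for the constructed sample: the bare-GUID name from the question fails the segment rule, and the account-wide assignment both falls outside the definition's assignableScopes and grants item writes across the whole account. The container-scoped assignment passes, which is the shape the previous answer ended up with.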

